Search by IP returns non-matching records

I’m trying a search to identify blocked packets from internal hosts. I have the search term:
action:block AND ip_ver:4 AND protocol:tcp AND reason:match and source_ip:/192.168/

This doesn’t work… it returns a whole bunch of records that are a different source_ip.

I tried:
action:block AND ip_ver:4 AND protocol:tcp AND reason:match and source_ip:192.168.1.48

Which again returned a whole bunch of records where the source_ip (which is getting parsed correctly) is not 192.168.1.48.

I’m new to Graylog, but this seems pretty straightforward. What am I missing?

Hello && Welcome

It’s unclear what is going on. To help you better resolve your problem take a look here.

Thanks


For those of you who aren’t filling out the proper TPS report, the answer to the question above is that the last “and” in the search query was not capitalized.

action:block AND ip_ver:4 AND protocol:tcp AND reason:match and source_ip:192.168.1.48
action:block AND ip_ver:4 AND protocol:tcp AND reason:match AND source_ip:192.168.1.48
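To make the failure mode concrete, here is a small model of how a Lucene-style query parser (the syntax Graylog's search uses) reads the two queries above. This is example code added for illustration, not Graylog's or Lucene's own parser; the three log records are constructed sample data, and the name of the default search field ("message") is an assumption. Upper-case AND marks the clauses on both sides as required; a lower-case "and" is just another search term, so the source_ip clause that follows it falls back to the default OR and becomes optional. Every record that satisfies the four required clauses then matches, whatever its source_ip. The example also covers the first query's /192.168/ form: a Lucene regexp must match the whole field value, so it needs to be written as /192\.168.*/ to match 192.168.1.48.

```python
"""Model of Lucene-style query semantics: upper-case AND/OR/NOT are operators,
anything else is a term. Added example; not Graylog's implementation."""
import re

OPERATORS = {"AND", "OR", "NOT"}
DEFAULT_FIELD = "message"  # assumption: bare words search this field

# Constructed sample records: two blocked packets (one internal, one external
# source) and one allowed packet.
RECORDS = [
    {"action": "block", "ip_ver": "4", "protocol": "tcp", "reason": "match",
     "source_ip": "192.168.1.48", "message": "blocked internal host"},
    {"action": "block", "ip_ver": "4", "protocol": "tcp", "reason": "match",
     "source_ip": "203.0.113.7", "message": "blocked external host"},
    {"action": "allow", "ip_ver": "4", "protocol": "udp", "reason": "none",
     "source_ip": "192.168.1.48", "message": "allowed internal host"},
]


def parse(query):
    """Tokenize a query into (occur, field, value) clauses.

    occur is 'MUST' for a clause joined by an explicit upper-case AND on
    either side, 'MUST_NOT' after NOT, otherwise 'SHOULD' (the default OR).
    """
    clauses = []
    pending = None  # operator waiting for its right-hand term
    for tok in query.split():
        if tok in OPERATORS:
            pending = tok
            if tok == "AND" and clauses and clauses[-1][0] == "SHOULD":
                # AND also makes the clause on its left required
                clauses[-1] = ("MUST",) + clauses[-1][1:]
            continue
        field, _, value = tok.partition(":")
        if not value:  # bare word such as 'and' -> term in the default field
            field, value = DEFAULT_FIELD, tok
        occur = {"AND": "MUST", "NOT": "MUST_NOT"}.get(pending, "SHOULD")
        clauses.append((occur, field, value))
        pending = None
    return clauses


def term_matches(value, pattern):
    """Exact match, or a /regex/ that must match the WHOLE field value
    (Lucene regexp semantics: /192.168/ does not match '192.168.1.48')."""
    if len(pattern) >= 2 and pattern[0] == pattern[-1] == "/":
        return re.fullmatch(pattern[1:-1], value) is not None
    return value == pattern


def matches(clauses, record):
    """Lucene boolean semantics: all MUST hit, no MUST_NOT hits, and SHOULD
    clauses only matter when there is no MUST clause at all."""
    def hit(c):
        return term_matches(record.get(c[1], ""), c[2])
    musts = [c for c in clauses if c[0] == "MUST"]
    must_nots = [c for c in clauses if c[0] == "MUST_NOT"]
    shoulds = [c for c in clauses if c[0] == "SHOULD"]
    if any(hit(c) for c in must_nots) or not all(hit(c) for c in musts):
        return False
    return bool(musts) or any(hit(c) for c in shoulds)


def search(query):
    """Return the source_ip of every sample record the query matches."""
    clauses = parse(query)
    return [r["source_ip"] for r in RECORDS if matches(clauses, r)]


if __name__ == "__main__":
    base = "action:block AND ip_ver:4 AND protocol:tcp AND reason:match"
    print(search(base + " and source_ip:192.168.1.48"))   # external host leaks in
    print(search(base + " AND source_ip:192.168.1.48"))   # only the internal host
    print(search(base + " AND source_ip:/192.168/"))      # regex not anchored: nothing
    print(search(base + r" AND source_ip:/192\.168.*/"))  # whole-value regex works
```

Running it shows the lower-case query returning the 203.0.113.7 record alongside the 192.168.1.48 one, which is exactly the symptom in the question; in a real Graylog query the stray "and" also becomes a term searched in the default field, so it can silently change what is matched rather than raise a syntax error.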
